Remarks of Sen. Al Franken on the Cybersecurity and Information Sharing Act of 2015
(as prepared for delivery)
M. PRESIDENT, I rise today to talk about the Intelligence Committee's bill that we are currently debating - the Cybersecurity Information Sharing Act of 2015 or CISA ("SY-sah").
This chamber sees its fair share of disagreement, so it is worth noting when there is something we can all agree on. And I think we can all agree on the need for congressional action on cybersecurity.
We face ever-increasing cyberattacks by sophisticated individuals, organized crime syndicates, and foreign regimes. These attacks pose a real threat to our economy and to our national security. It is clear that we must respond to these new threats, because the cost of complacency is very high.
But it is critical that, in deciding how to protect our information networks, we also continue to protect the fundamental privacy rights and civil liberties of Americans.
In short, there is a pressing need for meaningful, effective cybersecurity legislation that balances privacy and security.
Unfortunately, as it now stands, the Cybersecurity Information Sharing Act falls short.
Since this legislation was first introduced, I - and a number of my colleagues on both sides of the aisle - have raised serious concerns about the problems the bill presents for Americans' privacy and for the effective operation of our nation's cyberdefense.
My colleagues and I are not alone. Serious concerns have been raised by technologists and security experts; civil society organizations from across the political spectrum; and major tech companies, such as Apple, Dropbox, Twitter, Yelp, Salesforce.com, and Mozilla. Neither the Business Software Alliance nor the Computer & Communications Industry Association support CISA as written.
In a letter I received from the Department of Homeland Security this summer, the agency - which has a leading role on cybersecurity for the federal government - expressed concern about specific aspects of CISA. DHS explained that, under the bill's approach, QUOTE "the complexity - for both government and businesses - and inefficiency of any information sharing program will markedly increase." END QUOTE.
The letter explained that CISA would do away with important privacy protections, and could make it harder - not easier - to develop QUOTE "a single, comprehensive picture of the range of cyber threats faced daily."
Now, Senator Burr and Senator Feinstein, the bill managers, have worked very hard over the last few months to improve various aspects of the bill, and their substitute amendment offers a significantly improved version of CISA. And I really appreciate their efforts.
But it is clear to me and others - the improvements do not go far enough. Major concerns - raised in the letter from DHS and voiced by security experts, privacy advocates, and tech companies - still have not been resolved.
Let me briefly describe three of them.
First, the bill gives companies a free pass to engage in network monitoring and information-sharing activities, as well as the operation of defensive measures, in response to anything they deem a "cybersecurity threat," no matter how improbable it is that it constitutes a risk of any kind.
The term "cybersecurity threat" is really the lynchpin of the bill: companies can monitor systems, share cyber threat indicators with one another or with the government, and deploy defensive measures to protect against any cybersecurity threats.
So, the definition of "cybersecurity threat" is pretty important. And the bill defines "cybersecurity threat" to include any action that "may result in an unauthorized effort to adversely impact" cybersecurity. Under this definition, companies can take action even if it's unreasonable to think that security might be compromised.
This raises serious concerns about the scope of all of the authorities granted by the bill and the privacy implications of those authorities. And security experts and advocates have warned that, in this context, establishing the broadest possible definition of "cybersecurity threat" actually threatens to undermine security by increasing the amount of unreliable information shared with the government.
I've written an amendment, which is co-sponsored by Senators Leahy, Wyden, and Durbin, that would set the bar a bit higher, requiring that a threat be at least "reasonably likely" to result in an effort to adversely impact security. This standard gives companies plenty of flexibility - they don't need to be certain that an incident or event is an attack before they share information, but they should at least have determined that it is a plausible threat.
But the definition of a cybersecurity threat isn't the only problematic provision of the bill. This brings me to a second concern I want to highlight.
The bill provides a blanket authorization that allows companies to share information QUOTE "notwithstanding any other provision of law." END QUOTE. As DHS explained this past summer, that statutory language QUOTE "sweeps away important privacy protections." END QUOTE. Indeed, it means that CISA would override all existing privacy laws - from the Electronic Communications Privacy Act (ECPA) to HIPAA, a law that protects sensitive health information.
Moreover, this blanket authorization applies to sharing done with any federal agency. Companies are free to share directly with whomever they may choose, including law enforcement and military intelligence agencies. This means that - unbeknownst to their customers - companies may share information that contains customers' personal information with NSA, FBI, and others. From a security perspective it also means that we're setting up a diffuse system that - as DHS's letter acknowledged - is likely to be complex and inefficient, where it is actually harder for our cybersecurity experts to connect the dots and keep us safe.
These are all reasons why privacy experts, independent security experts, and the Department of Homeland Security have all warned that CISA's blanket authorization is a problem.
Earlier this year, the House avoided this problem when they passed the National Cybersecurity Protection Advancement Act by a vote of 355-63. That information-sharing bill only authorizes sharing with the government through a single civilian hub at the Department of Homeland Security - a move toward efficient streamlining of information that is also good for privacy.
Finally, CISA fails to adequately assure the removal of irrelevant personal information. And this, of course, is a major concern. The bill allows personal information to be shared even when there is a high likelihood that the information is not related to a cybersecurity threat. Combined with the bill's overly broad definition of "cybersecurity threat," this basically ensures that private entities will share extraneous information from Americans' personal communications. If companies are going to receive the broad liability protection that this bill provides, they should be expected to do better than this.
Senator Wyden has offered an amendment, which I'm proud to cosponsor, which would require companies to be more diligent and to remove "to the extent feasible" any personal information that isn't necessary to identify a cybersecurity threat. This is a crucial improvement. But it's hardly novel: in fact, it's basically the same standard that is in place today when information is shared between private companies and the Department of Homeland Security. There is no justification for lowering that standard in CISA, especially because the bill also provides companies with significant liability protection.
M. President, the amendments I've talked about today, as well as a number of other pending amendments, would make CISA a better bill - one that is significantly more protective of Americans' privacy and more likely to advance cybersecurity. I want to strongly encourage my colleagues to support these amendments. Without them, I fear that, however well intentioned, CISA will do a disservice to the American people.